Channels

Services

WhatsApp threatens legal action against API developers

In an apparent reaction to the security vulnerabilities demonstrated by The H's associates at heise Security, the company behind WhatsApp Messenger is taking action against the developers of a library of functions for using the WhatsApp service via a PC. The developers have responded by removing the source code from the web.

However, the popular texting alternative WhatsApp still has a major security problem. Attackers can compromise other users' accounts with relative ease, and send and receive messages from another user's account. In this respect nothing has changed – heise Security was able to successfully repeat its test this morning (Tuesday).

The company behind the service remains tight-lipped about this obvious security problem. Enquiries from heise Security about how they intend to protect their users from having their accounts hacked and what users can do if they fall victim to this problem have so far remained unanswered. This may be because there is no answer to this question. The only means of protection at present is to completely uninstall the app. Instead of making their service secure or at least warning users of the problem, the company remains cloaked in silence.

WhatsApp Inc. has, however, been in touch with the developers behind the GitHub project WhatsAPI, an open source implementation of the WhatsApp protocol written in PHP and Python. The company has threatened to take legal action against the developers if they do not take the project offline. heise Security has been told by one of the developers that they have decided to acquiesce to this request and to cease working on the API.

WhatsApp's ultimatum has not come out of the blue – it was issued shortly after heise Security demonstrated how easy it was to compromise other users' accounts using the API. This does not, however, alter the underlying problem. There is now a web service based on the API which can be used by an attacker to send and receive messages in the name of a WhatsApp user by simply having their phone number and IMEI or Wi-Fi adapter MAC address. Users are advised against using the service, however, as it is quite possible data allowing permanent access to such an account could fall into the wrong hands.

The way it has dealt with this serious problem does not inspire confidence in the company behind the app, which is used by millions of smartphone owners around the world to send more than one billion messages a day.